| Message ID | 20190223122404.21137-1-minipli@googlemail.com (mailing list archive) |
|---|---|
| State | Superseded |
| Headers | show |
| Series | tools lib traceevent: Fix BOF in arg_eval() when printing large negative values | expand |
diff --git a/lib/traceevent/event-parse.c b/lib/traceevent/event-parse.c index 6f7f4be3c4ea..a8a4366d51cc 100644 --- a/lib/traceevent/event-parse.c +++ b/lib/traceevent/event-parse.c @@ -2457,7 +2457,7 @@ static int arg_num_eval(struct tep_print_arg *arg, long long *val) static char *arg_eval (struct tep_print_arg *arg) { long long val; - static char buf[20]; + static char buf[22]; switch (arg->type) { case TEP_PRINT_ATOM:
The buffer for printing large negative values is one byte too small as can be seen below when trying to print LONG_MIN: $ printf "%lld" $[0x8000000000000000] | wc -c 20 The number already needs 20 bytes, plus the '\0' terminator makes it 21 bytes. This results in a buffer overflow that gets detected by the _FORTIFY_SOURCE logic and, in turn, ends up in an abort(3) call. Resize the buffer to 22 bytes to have yet another spare byte. Signed-off-by: Mathias Krause <minipli@googlemail.com> --- This commit should probably be backported to, at least, the trace-cmd-stable-v2.6 branch as I ran into the issue there by using the stock Debian/testing version of trace-cmd, trying to do a 'trace-cmd report' on a large trace file. --- lib/traceevent/event-parse.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)